CSC-8 passed

Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B

Code Signing Certificate Working Group

Key dates

Effective date: 01 Jun 2021
Voting opened: 25 Mar 2021
Voting closed: 01 Apr 2021
Discussion opened: 18 Mar 2021
Discussion closed: 25 Mar 2021

AI Summary

Generated 2026-06-23 21:26 UTC

Ballot overview

  • Ballot CSC-8 v3 updates the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates from version 2.2 to version 2.3.
  • The ballot page says the voting period ended and the ballot passed.
  • The motion was proposed by Ian McMillan of Microsoft and endorsed by Dimitris Zacharopoulos of HARICA and Bruce Morton of EnTrust.

What the ballot changes

  • Makes OCSP optional and requires CRLs instead, including changes in Appendix B for Code Signing and Timestamping certificates.
  • Adds Common Criteria EAL 4+ to the supported key protection crypto modules for EV certificates in light of support for RSA 3072 keys.
  • Cleans up Appendix B AIA value requirements so the issuing CA URL is used instead of the root certificate URL.
  • Removes a clause in section 11.2.1 that conflicted with RFC3161 regarding timestamp responses and the TSA certificate chain.

Approval and voting

  • Voting by Certificate Issuers: 7 total votes including abstentions, with 6 Yes, 0 No, and 1 Abstain.
  • Voting by Certificate Consumers: 1 total vote including abstentions, with 1 Yes, 0 No, and 0 Abstain.
  • The page states the bylaw requirements were met for both Certificate Issuers and Certificate Consumers.
  • The page also states quorum was met.

Relevant dates

  • The ballot page gives the discussion period as starting on 2021-03-18 at 17:30 Eastern Time and ending not before 2021-03-25 at 17:30 Eastern Time.
  • The vote for approval period starts on 2021-03-25 at 17:30 Eastern Time and ends on 2021-04-01 at 17:30 Eastern Time.
  • The revised document lists Version 2.3 effective on 2 May 2021.
  • The relevant dates section lists 2021-06-01 for Appendix A (1), Appendix A (2), section 14.1, and section 16.2, and 2022-04-30 for Appendix A (3).

Compliance impact

  • Appendix A (1): by 2021-06-01, CAs SHALL support minimum RSA-3072 for Code Signing Certificates, Root Certificates, and Subordinate CA Certificates, and SHALL NOT support SHA-1 digest algorithm for Code Signing Certificates.
  • Appendix A (2): by 2021-06-01, CAs SHALL support minimum RSA-3072 for Timestamp Certificates, Root Certificates, and Subordinate CA Certificates, and SHALL NOT support SHA-1 digest algorithm for Timestamp Certificates.
  • Appendix A (3): by 2022-04-30, CAs SHALL NOT support SHA-1 digest algorithm for Timestamp tokens.
  • Section 14.1: after 2021-06-01, the CA shall meet EV Guidelines Section 14.1 for Non-EV and EV Code Signing Certificates.
  • Section 16.2: for EV Code Signing Certificates, Signing Services shall protect private keys in a FIPS 140-2 level 2 or equivalent crypto module; after 2021-06-01, the same protection requirements SHALL apply to Non EV Code Signing Certificates.
Model: gpt-5.4-mini Confidence: 0.98 Result: passed
Applicability and conditions

2021-06-01: CAs must support minimum RSA-3072 and must not support SHA-1 digest algorithm for Code Signing Certificates.
Scope: Appendix A (1): Code Signing Certificates, Root Certificates, and Subordinate CA Certificates.

2021-06-01: CAs must support minimum RSA-3072 and must not support SHA-1 digest algorithm for Timestamp Certificates.
Scope: Appendix A (2): Timestamp Certificates, Root Certificates, and Subordinate CA Certificates.

2022-04-30: CAs must not support SHA-1 digest algorithm for Timestamp tokens.
Scope: Appendix A (3): Timestamp tokens.

2021-06-01: CAs must meet EV Guidelines Section 14.1 for Non-EV and EV Code Signing Certificates.
Scope: Section 14.1 applies to Non-EV and EV Code Signing Certificates after this date.

2021-06-01: Signing Services must protect private keys in a FIPS 140-2 level 2 or equivalent crypto module.
Scope: Section 16.2 applies to EV Code Signing Certificates, and after this date to Non EV Code Signing Certificates.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

0 Yes
0 No
1 Abstain

0% yes · 0% no · 100% abstain

Proposers

Ian McMillan of Microsoft, and endorsed by Dimitris Zacharopoulos of HARICA and Bruce Morton of EnTrust.

Excerpt

Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B

The voting period for Ballot CSC-8 has ended and the Ballot has Passed.
